Abstract

In this paper a proof system is developed for plan verification problems $\{X\}c\{Y\}$ and $\{X\}c\{KWp\}$ under 0-approximation semantics for $\mathcal{A}_K$. Here, for a plan $c$, two sets $X, Y$ of fluent literals, and a literal $p$, $\{X\}c\{Y\}$ (resp. $\{X\}c\{KWp\}$) means that all literals of $Y$ become true (resp. $p$ becomes known) after executing $c$ in any initial state in which all literals in $X$ are true. Soundness and completeness are then proved. The proof system allows both verifying plans and generating plans.

Key words: Plan Verification; 0-Approximation; Proof System



1 Introduction 

Planning refers to the procedure of finding a sequence of actions (i.e., a plan) which leads a possible world from an initial state to a goal. In the early days of Artificial Intelligence (AI), an agent (i.e., plan generator or executor) was assumed to have complete knowledge about the world, but this turned out to be unrealistic. Therefore, planning under incomplete knowledge has attracted a lot of attention since the late 1990s [22]. A widely accepted solution is to equip the planner with actions for producing knowledge, also called sensing actions, and to allow the use of conditional plans [21, 23], i.e., plans containing conditional expressions (e.g., If-Then-Else structures).

Consider the following example [21]. Say a bomb can only be safely defused if its alarm is switched off. Flipping the switch turns the alarm off if it is on, and vice versa. At the beginning we only know that the bomb is not disarmed and not exploded; however, we do not know whether or not the alarm is on, i.e., the knowledge about the initial state of the domain is incomplete. An agent could correctly defuse the bomb by performing the conditional plan $c$ below:

check; If alarm_off Then defuse Else {switch; defuse}

in which check is a sensing action that produces the knowledge about the alarm. It is worth mentioning that there exists no feasible classical plan for this scenario; e.g., neither defuse nor switch; defuse could safely disarm the bomb.

To describe and reason about domains with incomplete knowledge, a number of logical frameworks have been proposed in the literature. One of the well-established formalizations is the action language $\mathcal{A}_K$ [21]. In contrast to its first-order antecedents [15, 22], $\mathcal{A}_K$ possesses a natural syntax and a transition-function-based semantics; together they provide a flexible mechanism to model the change of an agent's knowledge in a simplified Kripke structure.

In [21] the authors propose several semantics for $\mathcal{A}_K$, all of which, roughly speaking, are based on some transition function from pairs of actions and initial states to states. For convenience we use SB-semantics to denote the semantics based on the transition function which maps pairs of actions and c-states to c-states. Here, a c-state is a pair of a world state and a knowledge state, the latter being a set of world states. One of the results in [3] is that the polynomial plan existence problem under SB-semantics is PSPACE-complete. Even if we restrict the number of fluents determined by a sensing action, the existence of a polynomial plan with a limited number of sensing actions is $\Sigma_2^P$-complete [1]. To overcome the high complexity, Baral and Son [21] have proposed $i$-approximations, $i = 0, 1, \dots$. It has been proved that, under some restricted conditions, the polynomial plan existence problem under 0-approximation is NP-complete; that is, it is still intractable, because it is widely believed that there is no polynomial algorithm solving an NP-complete problem.

Although modern planners are quite successful at producing and verifying short plans, they still face a great challenge in generating longer plans. There have been many efforts to construct transformations from planning or plan verification to other logic formalisms, for example, first-order logic (FOL), propositional satisfiability (SAT) [20], QBF satisfiability (QSAT), non-monotonic logics [3, 13], and so on. These approaches provide ways to use existing solvers for planning and plan verification; they do not, however, tell us how to generate and verify new plans from old ones.

It is well known that programming is generally also very hard; however, a proof system for program verification allows one to construct new correct programs from shorter ones. Similarly, proof systems for plan verification would be helpful for verifying and constructing longer correct plans.

For a given domain description $D$, two sets $X, Y$ of fluent literals, and a plan $c$, we consider the verification problem of determining whether $D \models \{X\}c\{Y\}$, that is, whether all literals of $Y$ become true after executing $c$ in any initial state in which all literals of $X$ are true. It seems natural that from $D \models \{X\}c_1\{Y\}$ and $D \models \{Y\}c_2\{Z\}$ we should obtain $D \models \{X\}c_1; c_2\{Z\}$. That is,

$$\frac{\{X\}c_1\{Y\},\ \{Y\}c_2\{Z\}}{\{X\}c_1; c_2\{Z\}}$$

should be a valid rule. This paper is devoted to developing a sound and complete proof system for plan verification under 0-approximation.

One important observation is that constructing proof sequences could also be considered as a procedure for generating plans. This feature is very useful for the agent to do so-called off-line planning [12, 5]. That is, when the agent is free from assigned tasks, she could continuously compute (short) proofs and store them in a well-maintained database. After a certain amount of time such a database consists of a huge number of proofs of the form $\{X\}c\{Y\}$. W.l.o.g., we may assume these proofs are stored in a graph, where $\{X\}$, $\{Y\}$ are nodes and $c$ is a connecting edge. With such a database, the agent could answer on-line queries quickly. Precisely speaking, asking whether a plan $c'$ exists leading state $\{X'\}$ to $\{Y'\}$ is equivalent to looking for a path $c'$ from $\{X'\}$ to $\{Y'\}$ in the graph. This is known as the PATH problem and can be computed easily (NL-complete, see [21]).
The paper is organized as follows. In Section 2 we mainly recall the language $\mathcal{A}_K$ and the 0-approximation semantics. In addition, a few new lemmas are proved which will be used in later sections. Section 3 is devoted to the construction of the proof system; soundness and completeness are proved. Section 4 concludes the paper.

2 The Language $\mathcal{A}_K$

The language $\mathcal{A}_K$ [23] proposed by Baral & Son is a well-known framework for reasoning about sensing actions and conditional planning. In this section we recall the syntax and the 0-approximation semantics of $\mathcal{A}_K$; in addition we prove several new properties (e.g. the monotonicity of the 0-transition function, see Lemma 2.1 below) which will be used in the next section.

2.1 Syntax of $\mathcal{A}_K$

Two disjoint non-empty sets of symbols, called fluent names (or fluents) and action names (or actions), are introduced as the alphabet of the language $\mathcal{A}_K$. A fluent literal is either a fluent $f$ or its negation $\neg f$. For a fluent $f$, by $\neg\neg f$ we mean $f$. For a fluent literal $p$, we define $\mathrm{fln}(p) := f$ if $p$ is a fluent $f$ or is $\neg f$. Given a set $X$ of fluent literals, $\neg X$ is defined as $\{\neg p \mid p \in X\}$, and $\mathrm{fln}(X)$ is defined as $\{\mathrm{fln}(p) \mid p \in X\}$.

The language $\mathcal{A}_K$ uses four kinds of propositions for describing a domain.

An initial-knowledge proposition (called a v-proposition in [21]) is an expression of the form

initially $p$ (1)

where $p$ is a fluent literal. Roughly speaking, the above proposition says that $p$ is initially known to be true.

An effect proposition (ef-proposition for short) is an expression of the form

$a$ causes $p$ if $p_1, \dots, p_n$ (2)

where $a$ is an action and $p, p_1, \dots, p_n$ are fluent literals. We say $p$ and $\{p_1, \dots, p_n\}$ are the effect and the precondition of the proposition, respectively. The intuitive meaning of the above proposition is that $p$ is guaranteed to be true after the execution of action $a$ in any state of the world where $p_1, \dots, p_n$ are true. If the precondition is empty then we drop the if part and simply say: $a$ causes $p$.
An executability proposition (ex-proposition for short) is an expression of the form

executable $a$ if $p_1, \dots, p_n$ (3)

where $a$ is an action and $p_1, \dots, p_n$ are fluent literals. Intuitively, it says that the action $a$ is executable whenever $p_1, \dots, p_n$ are true. For convenience, we call $\{p_1, \dots, p_n\}$ the ex-preconditions of the proposition.

A knowledge proposition (k-proposition for short) is of the form

$a$ determines $f$ (4)

where $a$ is an action and $f$ is a fluent. Intuitively, the above proposition says that after $a$ is executed the agent will know whether $f$ is true or false.

A proposition is either an initial-knowledge proposition, an ef-proposition, an ex-proposition, or a k-proposition. Two initial-knowledge propositions initially $f$ and initially $g$ are called contradictory if $f = \neg g$. Two effect propositions "$a$ causes $f$ if $p_1, \dots, p_n$" and "$a$ causes $g$ if $q_1, \dots, q_m$" are called contradictory if $f = \neg g$ and $\{p_1, \dots, p_n\} \cap \{\neg q_1, \dots, \neg q_m\}$ is empty.

Definition 2.1 A domain description in $\mathcal{A}_K$ is a set of propositions $D$ which does not contain

(1) contradictory initial-knowledge propositions,

(2) contradictory ef-propositions.

Actions occurring in knowledge propositions are called sensing actions, while actions occurring in effect propositions are called non-sensing actions. In this paper we require that for any domain description $D$ the set of sensing actions in $D$ and the set of non-sensing actions in $D$ be disjoint.

Definition 2.2 (Conditional Plan) A conditional plan is inductively defined as follows:

1. The empty sequence of actions, denoted by $[\,]$, is a conditional plan;

2. If $a$ is an action then $a$ is a conditional plan;

3. If $c_1$ and $c_2$ are conditional plans then the combination $c_1; c_2$ is a conditional plan;

4. If $c_1, \dots, c_n$ ($n \ge 1$) are conditional plans and $\varphi_1, \dots, \varphi_n$ are conjunctions of fluent literals (which are mutually exclusive but not necessarily exhaustive) then the following is a conditional plan (also called a case plan):

case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_n \to c_n.$ endcase

5. Nothing else is a conditional plan.

Propositions are used to describe a domain, whereas queries are used to ask questions about the domain. For a plan $c$, a set $X$ of fluent literals, and a fluent literal $p$, we have two kinds of queries:

Knows $X$ after $c$ (5)

Kwhether $p$ after $c$ (6)

Intuitively, a query of the form (5) asks whether all literals in $X$ will be known to be true after executing $c$, while a query of the form (6) asks whether $p$ will be either known to be true or known to be false after executing $c$.

2.2 0-Approximation Semantics

In this section we arbitrarily fix a domain description $D$ without contradictory propositions. From now on when we speak of fluent names and action names we mean those that occur in propositions of $D$.

According to [23], an a-state is a pair $(T, F)$ of two disjoint sets of fluent names. A fluent $f$ is true (resp. false) in $(T, F)$ if $f \in T$ (resp. $f \in F$). Dually, $\neg f$ is true (resp. false) if $f$ is false (resp. true). For a fluent name $f$ outside $T \cup F$, both $f$ and $\neg f$ are unknown. A fluent literal $p$ is called possibly true if it is not false (i.e., true or unknown). In the following we often use $\sigma, \delta$ to denote a-states. For a set $X = \{p_1, \dots, p_m\}$ of fluent literals, we say $X$ is true in an a-state $\sigma$ if and only if every $p_i$ is true in $\sigma$, $i = 1, \dots, m$.

An action $a$ is said to be 0-executable in an a-state $\sigma$ if there exists an ex-proposition executable $a$ if $p_1, \dots, p_n$ such that $p_1, \dots, p_n$ are true in $\sigma$. The following notations were introduced in [21].

(1) $e_a^+(\sigma) := \{f \mid f$ is a fluent and there exists "$a$ causes $f$ if $p_1, \dots, p_n$" in $D$ such that $p_1, \dots, p_n$ are true in $\sigma\}$.

(2) $e_a^-(\sigma) := \{f \mid f$ is a fluent and there exists "$a$ causes $\neg f$ if $p_1, \dots, p_n$" in $D$ such that $p_1, \dots, p_n$ are true in $\sigma\}$.

(3) $F_a^+(\sigma) := \{f \mid f$ is a fluent and there exists "$a$ causes $f$ if $p_1, \dots, p_n$" in $D$ such that $p_1, \dots, p_n$ are possibly true in $\sigma\}$.

(4) $F_a^-(\sigma) := \{f \mid f$ is a fluent and there exists "$a$ causes $\neg f$ if $p_1, \dots, p_n$" in $D$ such that $p_1, \dots, p_n$ are possibly true in $\sigma\}$.

(5) $K(a) := \{f \mid f$ is a fluent and "$a$ determines $f$" is in $D\}$.

For an a-state $\sigma = (T, F)$ and a non-sensing action $a$ 0-executable in $\sigma$, the result of executing $a$ is defined as

$$\mathrm{Res}_0(a, \sigma) := \big((T \cup e_a^+(\sigma)) \setminus F_a^-(\sigma),\ (F \cup e_a^-(\sigma)) \setminus F_a^+(\sigma)\big).$$

The extension order $\preceq$ on a-states is defined as follows [21]:

$(T_1, F_1) \preceq (T_2, F_2)$ if and only if $T_1 \subseteq T_2$ and $F_1 \subseteq F_2$.

Please note that if $(T_1, F_1) \preceq (T_2, F_2)$ then for a fluent literal $p$ we have

• if $p$ is true (resp. false) in $(T_1, F_1)$ then $p$ is true (resp. false) in $(T_2, F_2)$,

• if $p$ is unknown in $(T_2, F_2)$ then $p$ must be unknown in $(T_1, F_1)$, and

• if $p$ is possibly true in $(T_2, F_2)$ then $p$ is possibly true in $(T_1, F_1)$.

Consequently, for any non-sensing action $a$ and a-states $\sigma_1$ and $\sigma_2$ such that $\sigma_1 \preceq \sigma_2$ and $a$ is 0-executable in $\sigma_1$, we have

• $a$ is 0-executable in $\sigma_2$,

• $e_a^+(\sigma_1) \subseteq e_a^+(\sigma_2)$ and $e_a^-(\sigma_1) \subseteq e_a^-(\sigma_2)$,

• $F_a^+(\sigma_2) \subseteq F_a^+(\sigma_1)$ and $F_a^-(\sigma_2) \subseteq F_a^-(\sigma_1)$.

Then we have the following proposition.

Proposition 2.1 For any non-sensing action $a$ and a-states $\sigma_1$ and $\sigma_2$ such that $\sigma_1 \preceq \sigma_2$ and $a$ is 0-executable in $\sigma_1$, we have

$$\mathrm{Res}_0(a, \sigma_1) \preceq \mathrm{Res}_0(a, \sigma_2).$$

The 0-transition function $\Phi_0$ of $D$ is defined as follows [21].

• If $a$ is not 0-executable in $\sigma$, then $\Phi_0(a, \sigma) := \{\bot\}$.

• If $a$ is 0-executable in $\sigma$ and $a$ is a non-sensing action, then $\Phi_0(a, \sigma) := \{\mathrm{Res}_0(a, \sigma)\}$.

• If $a$ is 0-executable in $\sigma = (T, F)$ and $a$ is a sensing action, then $\Phi_0(a, \sigma) := \{(T', F') \mid (T, F) \preceq (T', F')$ and $T' \cup F' = T \cup F \cup K(a)\}$.

• For a set $S$ of a-states, $\Phi_0(a, S) := \bigcup_{\sigma \in S} \Phi_0(a, \sigma)$.

Let $S_1, S_2$ be two sets of a-states. We write $S_1 \preceq S_2$ if for every a-state $\delta$ in $S_2$ there is an a-state $\sigma$ in $S_1$ such that $\sigma \preceq \delta$.

The next proposition follows directly from Proposition 2.1 and the definition of $\Phi_0(a, \sigma)$ above.

Proposition 2.2 Suppose $\sigma_1 \preceq \sigma_2$ and $a$ is an action 0-executable in $\sigma_1$. Then $\Phi_0(a, \sigma_1) \preceq \Phi_0(a, \sigma_2)$.

The extended 0-transition function $\hat\Phi_0$, which maps pairs of conditional plans and a-states into sets of a-states, is defined inductively as follows.

Definition 2.3

$\hat\Phi_0([\,], \sigma) := \{\sigma\}$

$\hat\Phi_0(a, \sigma) := \Phi_0(a, \sigma)$

When $c$ is a case plan case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_k \to c_k.$ endcase,

$$\hat\Phi_0(c, \sigma) := \begin{cases} \hat\Phi_0(c_j, \sigma), & \text{if } \varphi_j \text{ is true in } \sigma, \\ \{\bot\}, & \text{if none of } \varphi_1, \dots, \varphi_k \text{ is true in } \sigma. \end{cases}$$

$\hat\Phi_0(c_1; c_2, \sigma) := \bigcup_{\sigma' \in \hat\Phi_0(c_1, \sigma)} \hat\Phi_0(c_2, \sigma')$

$\hat\Phi_0(c, \bot) := \{\bot\}$

$\hat\Phi_0(c, S) := \bigcup_{\sigma \in S} \hat\Phi_0(c, \sigma)$.

Remark 2.1 From the definitions above we know that the transition functions $\Phi_0$ and $\hat\Phi_0$ of a domain description $D$ do not depend on any initial-knowledge proposition. In other words, if two domain descriptions $D_1$ and $D_2$ contain the same non-initial-knowledge propositions, then their transition functions coincide.

A conditional plan $c$ is 0-executable in $\sigma$ if $\bot \notin \hat\Phi_0(c, \sigma)$.

Lemma 2.1 (Monotonicity Lemma) Let $c$ be a plan and $S_1, S_2$ be two sets of a-states. Suppose $S_1 \preceq S_2$, and $c$ is 0-executable in every a-state of $S_1$. Then $\hat\Phi_0(c, S_1) \preceq \hat\Phi_0(c, S_2)$.

Proof: We proceed by induction on the structure of the plan $c$.

1. Suppose $c$ consists of only an action $a$. Consider an arbitrary a-state $\sigma_2' \in \Phi_0(a, S_2)$. Then there is an a-state $\sigma_2 = (T_2, F_2) \in S_2$ such that $\sigma_2' \in \Phi_0(a, \sigma_2)$. Since $S_1 \preceq S_2$, pick $\sigma_1 = (T_1, F_1) \in S_1$ such that $\sigma_1 \preceq \sigma_2$. It is sufficient to show that $\sigma_1' \preceq \sigma_2'$ for some $\sigma_1' \in \Phi_0(a, \sigma_1)$.

If $a$ is a non-sensing action, then the assertion follows directly from Proposition 2.2. Suppose $a$ is a sensing action. Then $\sigma_2'$ must be of the form $(T_2 \cup X, F_2 \cup Y)$ because $a$ is a sensing action, where $X \cup Y = K(a)$. Then clearly $(T_1 \cup X, F_1 \cup Y)$ must be in $\Phi_0(a, \sigma_1)$. The assertion follows since $(T_1 \cup X, F_1 \cup Y) \preceq (T_2 \cup X, F_2 \cup Y)$.

2. Suppose $c$ is a case plan case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_k \to c_k.$ endcase. Consider any a-state $\sigma_2' \in \hat\Phi_0(c, S_2)$. Let $\sigma_1 \in S_1$, $\sigma_2 \in S_2$ be such that $\sigma_1 \preceq \sigma_2$ and $\sigma_2' \in \hat\Phi_0(c, \sigma_2)$. Since $c$ is 0-executable in $\sigma_1$, some $\varphi_i$ is true in $\sigma_1$. Then $\varphi_i$ is also true in $\sigma_2$ since $\sigma_1 \preceq \sigma_2$. Then by the induction hypothesis, $\hat\Phi_0(c, \sigma_1) = \hat\Phi_0(c_i, \sigma_1) \preceq \hat\Phi_0(c_i, \sigma_2) = \hat\Phi_0(c, \sigma_2)$. Thus, there is $\sigma_1' \in \hat\Phi_0(c, S_1)$ such that $\sigma_1' \preceq \sigma_2'$. Consequently, $\hat\Phi_0(c, S_1) \preceq \hat\Phi_0(c, S_2)$.

3. Suppose $c = c_1; c_2$. By the induction hypothesis $\hat\Phi_0(c_1, S_1) \preceq \hat\Phi_0(c_1, S_2)$. Since $c$ is 0-executable in every a-state of $S_1$, $c_2$ is 0-executable in every a-state of $\hat\Phi_0(c_1, S_1)$, so the induction hypothesis applies to $c_2$ as well. Then by the definition of $\hat\Phi_0$ we have

$$\hat\Phi_0(c, S_1) = \bigcup_{\sigma' \in \hat\Phi_0(c_1, S_1)} \hat\Phi_0(c_2, \sigma') \preceq \bigcup_{\sigma'' \in \hat\Phi_0(c_1, S_2)} \hat\Phi_0(c_2, \sigma'') = \hat\Phi_0(c, S_2).$$ ■

An a-state $\sigma$ is called an initial a-state of $D$ if $p$ is true in $\sigma$ for any fluent literal $p$ such that the initial-knowledge proposition "initially $p$" is in $D$.

Suppose $D$ is a domain description, $c$ is a conditional plan, $X$ is a set of fluent literals, and $p$ a literal. The semantics for the queries are given below:
Definition 2.4

• $D \models_0$ Knows $X$ after $c$ if for every initial a-state $\sigma$, the plan $c$ is 0-executable in $\sigma$, and $X$ is true in every a-state in $\hat\Phi_0(c, \sigma)$.

• $D \models_0$ Kwhether $p$ after $c$ if for every initial a-state $\sigma$, the plan $c$ is 0-executable in $\sigma$, and $p$ is either true or false in every a-state in $\hat\Phi_0(c, \sigma)$.

Let $T_D := \{f \mid$ "initially $f$" $\in D\}$ and $F_D := \{f \mid$ "initially $\neg f$" $\in D\}$. Obviously, $(T_D, F_D)$ is the least initial a-state of $D$, that is, $(T_D, F_D) \preceq \sigma$ for any initial a-state $\sigma$. The following lemma follows easily from Lemma 2.1.

Lemma 2.2

• $D \models_0$ Knows $X$ after $c$ if and only if the plan $c$ is 0-executable in $(T_D, F_D)$, and $X$ is true in every a-state in $\hat\Phi_0(c, (T_D, F_D))$.

• $D \models_0$ Kwhether $p$ after $c$ if the plan $c$ is 0-executable in $(T_D, F_D)$, and $p$ is either true or false in every a-state in $\hat\Phi_0(c, (T_D, F_D))$.

3 A Proof System for 0-Approximation

A consistent set $X$ of literals determines a unique a-state $(T_X, F_X)$ by $T_X := \{f \mid f \in X\}$ and $F_X := \{f \mid \neg f \in X\}$. Conversely, an a-state determines uniquely the set $S_{(T,F)} := T \cup \neg F$. Obviously, $p \in X$ if and only if $p$ is true in $(T_X, F_X)$, for any literal $p$.

In the following we will not distinguish sets of literals and a-states from each other. For example, $\mathrm{Res}_0(a, X)$ is nothing but $\mathrm{Res}_0(a, (T_X, F_X))$, which can be regarded as a set of literals. Analogously, we have the notations $\Phi_0(c, X)$ and $\hat\Phi_0(c, X)$, which can be regarded as collections of sets of literals.

Definition 3.1 Let $D$ be a domain description without initial-knowledge propositions. Suppose $X, Y$ are two sets of fluent literals. By $D \models_0 \{X\}c\{Y\}$ we mean $D \cup \mathrm{ini}(X) \models_0$ Knows $Y$ after $c$. Here $\mathrm{ini}(X) = \{$initially $p \mid p \in X\}$.

Remark 3.1

• The idea of the notation $\{X\}c\{Y\}$ comes from program verification, where in the sense of total correctness $\{\varphi\}P\{\psi\}$ means that any computation of $P$ started in a state satisfying $\varphi$ will terminate in a state satisfying $\psi$.

• By Lemma 2.2, $D \models_0 \{X\}c\{Y\}$ if and only if $Y$ is true in every a-state in $\hat\Phi_0(c, X)$.

Suppose $D$ is a general domain description (that is, initial-knowledge propositions are allowed). Let $D'$ be the set of all non-initial-knowledge propositions of $D$, and let $X := \{p \mid$ "initially $p$" is in $D\}$. Then $D' \models_0 \{X\}c\{Y\}$ is equivalent to $D \models_0$ Knows $Y$ after $c$.

3.1 The Proof System $PR_D^0$ for Knows

In the remainder of this section we fix a domain description $D$ without initial-knowledge propositions. We always use $X, Y, X', Y'$ to denote consistent sets of fluent literals. The proof system $PR_D^0$ consists of the following groups of axioms and rules 1-6.

AXIOM 1. (Empty)

$\{X\}[\,]\{X\}$.

AXIOM 2. (Non-sensing Action)

$\{X\}a\{\mathrm{Res}_0(a, X)\}$,

where $a$ is a non-sensing action 0-executable in $X$.

RULE 3. (Sensing Action)

$$\frac{\{X \cup X_1\}c\{Y\},\ \cdots,\ \{X \cup X_m\}c\{Y\}}{\{X\}a; c\{Y\}}$$

where $a$ is a sensing action 0-executable in $X$, and $X_1, \dots, X_m$ are all sets $X'$ of fluent literals such that $\mathrm{fln}(X') = K(a)$ and $X \cup X'$ is consistent.

RULE 4. (Case)

$$\frac{\varphi_i \subseteq X,\ \{X\}c_i; c'\{Y\}}{\{X\}c; c'\{Y\}}$$

where $c$ is the case plan case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_n \to c_n.$ endcase.
RULE 5. (Composition)

$$\frac{\{X\}c_1\{Y'\},\ \{Y'\}c_2\{Y\}}{\{X\}c_1; c_2\{Y\}}$$

RULE 6. (Consequence)

$$\frac{X' \subseteq X,\ \{X'\}c\{Y'\},\ Y \subseteq Y'}{\{X\}c\{Y\}}$$



Definition 3.2 A proof sequence (or derivation) of $PR_D^0$ is a sequence $\{X_1\}c_1\{Y_1\}, \dots, \{X_n\}c_n\{Y_n\}$ such that each $\{X_j\}c_j\{Y_j\}$ is either an axiom in $PR_D^0$ or is obtained from some of $\{X_1\}c_1\{Y_1\}, \dots, \{X_{j-1}\}c_{j-1}\{Y_{j-1}\}$ by applying a rule in $PR_D^0$.

By $D \vdash_0 \{X\}c\{Y\}$ we mean that $\{X\}c\{Y\}$ appears in some proof sequence of $PR_D^0$, that is, $\{X\}c\{Y\}$ can be derived from the axioms and rules in $PR_D^0$.

Example 3.1 ([24]) Let $D$ consist of the following propositions:

check determines alarm_off
defuse causes disarmed if alarm_off
defuse causes exploded if ¬alarm_off
switch causes ¬alarm_off if alarm_off
switch causes alarm_off if ¬alarm_off
executable check if ¬exploded
executable switch if ¬exploded
executable defuse if ¬exploded

Let $c'$ be the case plan case ¬alarm_off → switch. alarm_off → [ ]. endcase, and $c$ be the plan check; $c'$; defuse. Then the following is a proof sequence of $PR_D^0$:

(1) {¬disarmed, ¬exploded, ¬alarm_off} switch {¬disarmed, ¬exploded, alarm_off} (AXIOM 2)

(2) {¬disarmed, ¬exploded, ¬alarm_off} c' {¬disarmed, ¬exploded, alarm_off} ((1) and RULE 4)

(3) {¬disarmed, ¬exploded, alarm_off} [ ] {¬disarmed, ¬exploded, alarm_off} (AXIOM 1)

(4) {¬disarmed, ¬exploded, alarm_off} c' {¬disarmed, ¬exploded, alarm_off} ((3) and RULE 4)

(5) {¬disarmed, ¬exploded} check; c' {¬disarmed, ¬exploded, alarm_off} ((2), (4) and RULE 3)

(6) {¬disarmed, ¬exploded, alarm_off} defuse {disarmed, ¬exploded, alarm_off} (AXIOM 2)

(7) {¬disarmed, ¬exploded} c {disarmed, ¬exploded, alarm_off} ((6) and RULE 5)
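The 0-approximation semantics of Section 2.2 and the seven triples of Example 3.1 can be checked mechanically. The Python program below is an added example, not code from the paper: it implements $\mathrm{Res}_0$, $\Phi_0$ and $\hat\Phi_0$ for the bomb domain above, decides $D \models_0 \{X\}c\{Y\}$ and $\{X\}c\{KWp\}$ as in Lemma 2.2 and Remark 3.1, and evaluates each triple of the proof sequence together with the two classical plans from the introduction; the literal, state and plan encodings (`(fluent, sign)` pairs, `(T, F)` frozensets, `("case", ...)` tuples) are this example's own choices.

```python
"""0-approximation semantics of A_K on the bomb domain of Example 3.1 (added
example, not the paper's code): Res_0, Phi_0, Phi^_0 and the semantic check of
D |=0 {X}c{Y} and {X}c{KWp} given by Lemma 2.2 and Remark 3.1."""
from itertools import product

# Encoding chosen for this example: a fluent literal is (fluent, sign), sign False
# meaning the negation; an a-state is (T, F) with T, F disjoint frozensets of
# fluent names; BOTTOM stands for the undefined state of Phi_0.
BOTTOM = None
NO = lambda f: (f, False)

EFFECTS = [  # domain D of Example 3.1: (action, effect literal, preconditions)
    ("defuse", ("disarmed", True), [("alarm_off", True)]),
    ("defuse", ("exploded", True), [NO("alarm_off")]),
    ("switch", NO("alarm_off"), [("alarm_off", True)]),
    ("switch", ("alarm_off", True), [NO("alarm_off")]),
]
EXECUTABLE = {a: [NO("exploded")] for a in ("check", "switch", "defuse")}  # executable a if ...
DETERMINES = {"check": {"alarm_off"}}   # K(a) for each sensing action
NON_SENSING = {a for a, _, _ in EFFECTS}

def is_true(lit, st): return lit[0] in st[0] if lit[1] else lit[0] in st[1]

def possibly_true(lit, st):            # not false, i.e. true or unknown
    return not is_true((lit[0], not lit[1]), st)

def executable(a, st):                 # 0-executable in st
    return a in EXECUTABLE and all(is_true(p, st) for p in EXECUTABLE[a])

def effects(a, st, sign, holds_fn):
    """Fluents f with 'a causes f (sign True) / not-f (sign False) if ps' in D
    such that holds_fn(p, st) for every precondition p: gives e+, e-, F+, F-."""
    return {lit[0] for x, lit, pre in EFFECTS
            if x == a and lit[1] == sign and all(holds_fn(p, st) for p in pre)}

def res0(a, st):
    """Res_0(a, s) = ((T u e+) \\ F-, (F u e-) \\ F+) for a non-sensing action a."""
    T, F = st
    e_plus, e_minus = effects(a, st, True, is_true), effects(a, st, False, is_true)
    f_plus, f_minus = effects(a, st, True, possibly_true), effects(a, st, False, possibly_true)
    return (frozenset((T | e_plus) - f_minus), frozenset((F | e_minus) - f_plus))

def phi0(a, st):
    """Phi_0(a, s): successor a-states of one action, or {BOTTOM}."""
    if not executable(a, st):
        return {BOTTOM}
    if a in NON_SENSING:
        return {res0(a, st)}
    T, F = st
    unknown = sorted(DETERMINES[a] - T - F)   # sensed fluents still unknown
    # all (T', F') with (T, F) <= (T', F') and T' u F' = T u F u K(a)
    return {(frozenset(T | {f for f, v in zip(unknown, vals) if v}),
             frozenset(F | {f for f, v in zip(unknown, vals) if not v}))
            for vals in product([True, False], repeat=len(unknown))}

def phi0_hat(plan, st):
    """Phi^_0 of Definition 2.3; a plan is an action name, a list ([] = empty
    plan, otherwise a sequence) or ("case", [(guard literals, subplan), ...])."""
    if st is BOTTOM:
        return {BOTTOM}
    if isinstance(plan, str):
        return phi0(plan, st)
    if isinstance(plan, tuple):        # case plan: the branch whose guard is true
        for guard, sub in plan[1]:
            if all(is_true(p, st) for p in guard):
                return phi0_hat(sub, st)
        return {BOTTOM}
    if not plan:
        return {st}
    return {s2 for s1 in phi0_hat(plan[0], st) for s2 in phi0_hat(plan[1:], s1)}

def state_of(X):                       # (T_X, F_X) for a consistent literal set X
    return (frozenset(f for f, s in X if s), frozenset(f for f, s in X if not s))

def holds(X, plan, Y):
    """D |=0 {X}c{Y}: c 0-executable in X and Y true in every state of Phi^_0(c, X)."""
    out = phi0_hat(plan, state_of(X))
    return BOTTOM not in out and all(is_true(q, s) for s in out for q in Y)

def knows_whether(X, plan, f):
    """D |=0 {X}c{KW f}: f is known (true or false) in every resulting state."""
    out = phi0_hat(plan, state_of(X))
    return BOTTOM not in out and all(f in s[0] or f in s[1] for s in out)

X0 = [NO("disarmed"), NO("exploded")]                      # initial knowledge
C_PRIME = ("case", [([NO("alarm_off")], "switch"), ([("alarm_off", True)], [])])
C = ["check", C_PRIME, "defuse"]                           # check; c'; defuse
MID = [NO("disarmed"), NO("exploded"), ("alarm_off", True)]
GOAL = [("disarmed", True), NO("exploded"), ("alarm_off", True)]

def check_example():
    """Truth of the seven triples of Example 3.1, of the two classical plans
    from the introduction (which fail), and of Kwhether alarm_off after check."""
    return {
        "(1)": holds(X0 + [NO("alarm_off")], "switch", MID),
        "(2)": holds(X0 + [NO("alarm_off")], C_PRIME, MID),
        "(3)": holds(MID, [], MID),
        "(4)": holds(MID, C_PRIME, MID),
        "(5)": holds(X0, ["check", C_PRIME], MID),
        "(6)": holds(MID, "defuse", GOAL),
        "(7)": holds(X0, C, GOAL),
        "defuse": holds(X0, "defuse", GOAL),
        "switch;defuse": holds(X0, ["switch", "defuse"], GOAL),
        "KW alarm_off after check": knows_whether(X0, "check", "alarm_off"),
    }
```

Running `check_example()` gives True for (1) to (7) and for the Kwhether query, and False for the plans defuse and switch; defuse, because after defuse in the initial state both exploded and disarmed become unknown.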

Remark 3.2 One important observation is that constructing a proof sequence could also be considered as a procedure for generating plans. This feature is very useful for the agent to do so-called off-line planning [12, 5]. That is, when the agent is free from assigned tasks, she could continuously compute (short) proofs and store them in a well-maintained database. After a certain amount of time such a database consists of a huge number of proofs of the form $\{X\}c\{Y\}$. W.l.o.g., we may assume these proofs are stored in a graph, where $\{X\}$, $\{Y\}$ are nodes and $c$ is a connecting edge. With such a database, the agent could answer on-line queries quickly. Precisely speaking, asking whether a plan $c'$ exists leading state $\{X'\}$ to $\{Y'\}$ is equivalent to looking for a path $c'$ from $\{X'\}$ to $\{Y'\}$ in the graph. This is known as the PATH problem and can be computed easily (NL-complete, see [21]).

3.1.1 Soundness of $PR_D^0$

Theorem 3.1 (Soundness of $PR_D^0$) $PR_D^0$ is sound. That is, for any conditional plan $c$ and any consistent sets $X, Y$ of fluent literals, $D \vdash_0 \{X\}c\{Y\}$ implies $D \models_0 \{X\}c\{Y\}$.

Proof: Suppose $D \vdash_0 \{X\}c\{Y\}$. Then $\{X\}c\{Y\}$ has a derivation. We proceed by induction on the length of the derivation. Let $\Phi_0$ and $\hat\Phi_0$ be the 0-transition functions of $D$. Please note that for any set $S$ of fluent literals, the 0-transition functions of $D \cup \mathrm{ini}(S)$ are the same as $\Phi_0$ and $\hat\Phi_0$, respectively (see Remark 2.1).

1. Suppose $\{X\}c\{Y\}$ is an axiom in AXIOM 1. Then $X = Y$ and $c = [\,]$. Clearly, $D \models_0 \{X\}[\,]\{X\}$.
2. Suppose $\{X\}c\{Y\}$ is an axiom in AXIOM 2, i.e., $c$ consists of only a non-sensing action $a$ which is 0-executable in $X$, and $Y = \mathrm{Res}_0(a, X)$. Since $\Phi_0(a, X) = \{\mathrm{Res}_0(a, X)\}$, it follows that $D \models_0 \{X\}a\{Y\}$.

3. Suppose $\{X\}c\{Y\}$ is obtained by applying a rule in RULE 3. Then $c = a; c_1$ for some sensing action $a$ 0-executable in $X$, and $\{X\}c\{Y\}$ is obtained from $\{X \cup X_1\}c_1\{Y\}, \dots, \{X \cup X_m\}c_1\{Y\}$, where $X_1, \dots, X_m$ are all sets $X'$ of fluent literals such that $\mathrm{fln}(X') = K(a)$ and $X \cup X'$ is consistent. By the induction hypothesis,

$D \models_0 \{X \cup X_i\}c_1\{Y\}$, for $i = 1, \dots, m$.

That is, all literals in $Y$ are true in every set in $\hat\Phi_0(c_1, X \cup X_i)$. Please note that $\Phi_0(a, X) = \{X \cup X_1, \dots, X \cup X_m\}$. By the definition of $\hat\Phi_0$ (see Definition 2.3),

$$\hat\Phi_0(c, X) = \bigcup_{i=1}^{m} \hat\Phi_0(c_1, X \cup X_i).$$

Therefore, $D \models_0 \{X\}c\{Y\}$.

4. Suppose $\{X\}c\{Y\}$ is obtained by applying a rule in RULE 4. That is, $c$ is a plan $c_1; c_2$, where $c_1$ is a case plan case $\varphi_1 \to c_1'.\ \cdots\ .\ \varphi_n \to c_n'.$ endcase such that for some $i \in \{1, \dots, n\}$, $\varphi_i \subseteq X$ and $\{X\}c_i'; c_2\{Y\}$ has been derived. By the induction hypothesis, we have $D \models_0 \{X\}c_i'; c_2\{Y\}$. By Definition 2.3 we have $\hat\Phi_0(c, X) = \hat\Phi_0(c_2, \hat\Phi_0(c_1, X)) = \hat\Phi_0(c_2, \hat\Phi_0(c_i', X)) = \hat\Phi_0(c_i'; c_2, X)$. Then all literals of $Y$ are true in $\hat\Phi_0(c, X)$. Thus, $D \models_0 \{X\}c\{Y\}$.

5. Suppose $\{X\}c\{Y\}$ is obtained from $\{X\}c_1\{Y'\}$ and $\{Y'\}c_2\{Y\}$ by applying a rule in RULE 5. By the induction hypothesis,

$D \models_0 \{X\}c_1\{Y'\}$ and $D \models_0 \{Y'\}c_2\{Y\}$.

Then for any $S \in \hat\Phi_0(c_1, X)$, we have $Y' \subseteq S$ (i.e., $(T_{Y'}, F_{Y'}) \preceq (T_S, F_S)$). Thus, by Lemma 2.1, $\hat\Phi_0(c_2, Y') \preceq \hat\Phi_0(c_2, S)$. Then

$$\hat\Phi_0(c_2, Y') \preceq \bigcup_{S \in \hat\Phi_0(c_1, X)} \hat\Phi_0(c_2, S) = \hat\Phi_0(c, X).$$

It follows that $D \models_0 \{X\}c\{Y\}$.

6. Suppose $\{X\}c\{Y\}$ is obtained by applying a rule in RULE 6. That is, there are $X' \subseteq X$ and $Y' \supseteq Y$ such that $\{X'\}c\{Y'\}$ has been derived. Then by the induction hypothesis, all literals in $Y'$ are known to be true in $\hat\Phi_0(c, X')$, and so are the literals in $Y$. By Lemma 2.1 we have $\hat\Phi_0(c, X') \preceq \hat\Phi_0(c, X)$. Therefore, $D \models_0 \{X\}c\{Y\}$.

Altogether, we complete the proof. ■
3.1.2 Completeness of $PR_D^0$

Theorem 3.2 (Completeness of $PR_D^0$) $PR_D^0$ is complete. That is, for any conditional plan $c$ and any consistent sets $X, Y$ of fluent literals, $D \models_0 \{X\}c\{Y\}$ implies $D \vdash_0 \{X\}c\{Y\}$.

Proof: Suppose $D \models_0 \{X\}c\{Y\}$. We shall show $D \vdash_0 \{X\}c\{Y\}$ by induction on the structure of $c$.

1. Suppose $c$ consists of only an action $a$. Then $a$ is 0-executable in $X$.

• Case 1. $a$ is a non-sensing action. Then all literals in $Y$ are true in $\mathrm{Res}_0(a, X)$, that is, $Y \subseteq \mathrm{Res}_0(a, X)$. By AXIOM 2, $D \vdash_0 \{X\}a\{\mathrm{Res}_0(a, X)\}$. Then by RULE 6, we obtain $D \vdash_0 \{X\}a\{Y\}$.

• Case 2. $a$ is a sensing action. Consider any $p \in Y$. We shall show $p \in X$. Suppose otherwise; then $X' := X \cup \{\neg p\}$ is still consistent. Then $\hat\Phi_0(a, X) \preceq \hat\Phi_0(a, X')$. Thus $p$ should also be true in every a-state in $\hat\Phi_0(a, X')$. On the other hand, $\neg p$ is true in every a-state in $\hat\Phi_0(a, X')$ since $\neg p \in X'$. This is a contradiction. Thus $Y \subseteq X$. Then for any set $X'$ such that $\mathrm{fln}(X') = K(a)$ and $X \cup X'$ is consistent, we have $D \vdash_0 \{X \cup X'\}[\,]\{Y\}$ by AXIOM 1 and RULE 6. Now applying RULE 3 we obtain $D \vdash_0 \{X\}a\{Y\}$.

2. Suppose $c$ is a case plan case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_m \to c_m.$ endcase. Since $D \models_0 \{X\}c\{Y\}$, it follows that $\varphi_i \subseteq X$ for some $i$ (otherwise, $c$ would not be 0-executable in $X$). Then $D \models_0 \{X\}c_i\{Y\}$. By the induction hypothesis, $D \vdash_0 \{X\}c_i\{Y\}$. By RULE 4 we have $D \vdash_0 \{X\}c\{Y\}$.

3. Suppose $c$ is a composition plan $c_1; c_2$. We shall show the assertion by induction on the structure of $c_1$.
• $c_1$ is a non-sensing action $a$. By Definition 2.3, $\hat\Phi_0(a; c_2, X) = \hat\Phi_0(c_2, \mathrm{Res}_0(a, X))$. By the induction hypothesis, $D \vdash_0 \{\mathrm{Res}_0(a, X)\}c_2\{Y\}$. By AXIOM 2 and RULE 5, we obtain $D \vdash_0 \{X\}c\{Y\}$.

• $c_1$ is a sensing action $a$. Consider any $X'$ such that $\mathrm{fln}(X') = K(a)$ and $X \cup X'$ is consistent. Since $D \models_0 \{X\}a; c_2\{Y\}$, it follows that $D \models_0 \{X \cup X'\}c_2\{Y\}$. Then by the induction hypothesis we have $D \vdash_0 \{X \cup X'\}c_2\{Y\}$. By RULE 3 we obtain $D \vdash_0 \{X\}a; c_2\{Y\}$.

• $c_1$ is a case plan case $\varphi_1 \to c_1'.\ \cdots\ .\ \varphi_m \to c_m'.$ endcase. Since $c$ is 0-executable in $X$, it follows that $\varphi_i \subseteq X$ for some $i$. Then $D \models_0 \{X\}c_i'; c_2\{Y\}$. By the induction hypothesis, $D \vdash_0 \{X\}c_i'; c_2\{Y\}$. By RULE 4 we have $D \vdash_0 \{X\}c_1; c_2\{Y\}$.

• $c_1$ is $c_1'; c_1''$ such that $c_1'$ and $c_1''$ are not empty. Then $c$ is $c_1'; (c_1'';  c_2)$. Now $c_1'$ is shorter. By the induction hypothesis, $D \vdash_0 \{X\}c\{Y\}$.

Altogether, we complete the proof. ■



3.2 The Proof System $PRKW_D^0$ for Knows-Whether

In this section we shall construct a proof system for reasoning about Kwhether $p$ after $c$ (here $p$ is a fluent literal). We again fix an arbitrary domain description $D$ without initial-knowledge propositions. Similar to the notation $\{X\}c\{Y\}$, we introduce the notation $\{X\}c\{KWp\}$.

Definition 3.3 Let $c$ be a plan, $X$ be a consistent set of fluent literals, and $p$ a fluent literal. By $D \models_0 \{X\}c\{KWp\}$ we mean

$D \cup \mathrm{ini}(X) \models_0$ Kwhether $p$ after $c$.

The proof system $PRKW_D^0$ consists of the axioms and rules of groups 1-6 in Section 3.1 and the following groups 7-12.

AXIOM 7.

$\{X\}a\{KWf\}$,

where $a$ is a sensing action 0-executable in $X$, and $f$ is a fluent name such that the k-proposition "$a$ determines $f$" belongs to $D$.
RULE 8.

$$\frac{\{X\}c\{\{p\}\}}{\{X\}c\{KWp\}}$$

RULE 9.

$$\frac{\{X\}c\{KWp\}}{\{X\}c\{KW\neg p\}}$$

RULE 10. (Sensing Action)

$$\frac{\{X \cup X_1\}c\{KWp\},\ \cdots,\ \{X \cup X_m\}c\{KWp\}}{\{X\}a; c\{KWp\}}$$

where $a$ is a sensing action 0-executable in $X$, and $X_1, \dots, X_m$ are all sets $X'$ of fluent literals such that $\mathrm{fln}(X') = K(a)$ and $X \cup X'$ is consistent.

RULE 11. (Composition)

$$\frac{\{X\}c_1\{Y\},\ \{Y\}c_2\{KWp\}}{\{X\}c_1; c_2\{KWp\}}$$

RULE 12. (Case)

$$\frac{\varphi_i \subseteq X,\ \{X\}c_i; c'\{KWp\}}{\{X\}c; c'\{KWp\}}$$

where $c$ is the case plan case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_n \to c_n.$ endcase.

Definition 3.4 (Proof Sequence of $PRKW_D^0$) A proof sequence (or derivation) of $PRKW_D^0$ is a sequence of elements of the form $\{S_i\}c_i\{T_i\}$ or $\{S\}c\{KWp\}$ such that each element is either an axiom in $PRKW_D^0$ or is obtained from some of the previous elements by applying a rule in $PRKW_D^0$.

By $D \vdash_0 \{S\}c\{KWp\}$ we mean that $\{S\}c\{KWp\}$ appears in some proof sequence of $PRKW_D^0$, that is, $\{S\}c\{KWp\}$ can be derived from the axioms and rules in $PRKW_D^0$.

Remark 3.3 Please note that $\{X\}c\{KWp\}$ never appears as a premise in a rule whose consequence is of the form $\{X'\}c'\{Y\}$. Thus, $\{X\}c\{Y\}$ is derivable in $PRKW_D^0$ if and only if it is derivable in $PR_D^0$. So, for derivability of $\{X\}c\{Y\}$ in $PRKW_D^0$, we still employ the notation $D \vdash_0 \{X\}c\{Y\}$.
Theorem 3.3 (Soundness of $PRKW_D^0$) Given a plan $c$, $D \vdash_0 \{X\}c\{KWp\}$ implies $D \models_0 \{X\}c\{KWp\}$ for any consistent set $X$ of fluent literals and any fluent literal $p$.

Proof: We can show this theorem by induction on the length of derivations. By the soundness of $PR_D^0$, there are six cases according to whether $\{S\}c\{KWp\}$ is an axiom in AXIOM 7 or obtained by applying a rule in groups 8-12. For each case, the proof is easy. We omit the proof. ■

Theorem 3.4 (Completeness of $PRKW_D^0$) Given a plan $c$, $D \models_0 \{X\}c\{KWp\}$ implies $D \vdash_0 \{X\}c\{KWp\}$ for any consistent set $X$ of fluent literals and any fluent literal $p$.

Proof: We proceed by induction on the structure of $c$. Suppose $D \models_0 \{X\}c\{KWp\}$.

1. $c$ is empty. Then it must be that $p \in X$ or $\neg p \in X$. Then $\{X\}[\,]\{\{p\}\}$ or $\{X\}[\,]\{\{\neg p\}\}$ is derivable. Then by RULE 8-9 we can derive $\{X\}[\,]\{KWp\}$.

2. $c$ consists of only a sensing action $a$. Then $a$ is 0-executable in $X$. If $p \in X$, it is clear that $\{X\}a\{\{p\}\}$ is derivable. From RULE 8 we derive $\{X\}a\{KWp\}$. By the same argument, if $\neg p \in X$, then $D \vdash_0 \{X\}a\{KW\neg p\}$, and then we can derive $\{X\}a\{KWp\}$ by applying RULE 9. Now we suppose neither $p$ nor $\neg p$ is in $X$. We claim that the k-proposition "$a$ determines $\mathrm{fln}(p)$" belongs to $D$ (otherwise, $p$ and $\neg p$ would remain unknown in every a-state in $\hat\Phi_0(a, X)$, which contradicts the assumption $D \models_0 \{X\}a\{KWp\}$). Now we have an axiom $\{X\}a\{KW\,\mathrm{fln}(p)\}$. If $p$ itself is a fluent name then we are done; otherwise we derive $\{X\}c\{KWp\}$ by applying RULE 9.

3. $c$ consists of only a non-sensing action $a$. Since $D \models_0 \{X\}a\{KWp\}$, it follows that $a$ is 0-executable in $X$ and either $p$ or $\neg p$ is true in $\mathrm{Res}_0(a, X)$. That is, $p \in \mathrm{Res}_0(a, X)$ or $\neg p \in \mathrm{Res}_0(a, X)$. Since $D \vdash_0 \{X\}a\{\mathrm{Res}_0(a, X)\}$, we have $D \vdash_0 \{X\}a\{\{p\}\}$ or $D \vdash_0 \{X\}a\{\{\neg p\}\}$. Then either $\{X\}a\{KWp\}$ or $\{X\}a\{KW\neg p\}$ can be derived by applying RULE 8. If $\{X\}a\{KW\neg p\}$ is derivable then we obtain $\{X\}a\{KWp\}$ by applying RULE 9.

4. $c$ is a case plan of the form case $\varphi_1 \to c_1.\ \cdots\ .\ \varphi_n \to c_n.$ endcase. Then there must be some $i \in \{1, \dots, n\}$ such that $\varphi_i \subseteq X$; otherwise, $c$ would not be 0-executable. Then we can see that $D \models_0 \{X\}c_i\{KWp\}$.
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By the induction hypothesis, we have D ho {X}cj{KWp}. Then we 
can derive {X}c{KWp} by RULE 12. 



5. Suppose c = c₁; c₂ such that c₁ and c₂ are non-empty. We show D ⊢₀ 
{X}c{KWp} by induction on the structure of c₁. 

• c₁ is a sensing action a. Let X₁, ⋯, Xₘ be all sets X' of flu- 
ent literals such that fln(X') = K(a) and X ∪ X' is consistent. 
Consider an arbitrary Xᵢ. We have D ⊨₀ {X ∪ Xᵢ}c₂{KWp} 
since Φ₀(c₂, X ∪ Xᵢ) ⊆ Φ₀(a; c₂, X). By the induction hypothe- 
sis, D ⊢₀ {X ∪ Xᵢ}c₂{KWp}. Now by RULE 10 we can derive 
{X}a; c₂{KWp}. 

• c₁ is a non-sensing action a. Then a is 0-executable in X. Since 
Φ₀(c₂, Res₀(a, X)) = Φ₀(a; c₂, X), it follows that D ⊨₀ {Res₀(a, X)}c₂{KWp}. 
By the induction hypothesis, {Res₀(a, X)}c₂{KWp} is derivable. 
Please note that {X}a{Res₀(a, X)} is an axiom in AXIOM 2. By 
RULE 11, we can derive {X}a; c₂{KWp}. 

• c₁ is a case plan case φ₁ → c'₁. ⋯ . φₙ → c'ₙ. endcase. We 
know that φᵢ ⊆ X for some i ∈ {1, ⋯, n}. It follows that D ⊨₀ 
{X}c'ᵢ; c₂{KWp} since we have assumed D ⊨₀ {X}c₁; c₂{KWp}. 
By the induction hypothesis, D ⊢₀ {X}c'ᵢ; c₂{KWp}. Now apply- 
ing RULE 12 we can derive {X}c₁; c₂{KWp}. 

• c₁ = c'₁; c'₂ such that c'₁, c'₂ are non-empty plans. Then c = c'₁; (c'₂; c₂). 
Now c'₁ is shorter. Then {X}c{KWp} is derivable by the induction 
hypothesis. 

Altogether, we complete the proof. ■ 
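As an added example (not code from the paper), the case analysis of the proof above read as a recursive plan checker: it searches for a derivation of {X}c{KWp} following cases 1-5, enumerating every consistent X' in the sensing case (RULE 10) and stepping through Res₀ in the non-sensing case (AXIOM 2, RULE 11); a trailing sensing action is handled through the same RULE 10 enumeration rather than AXIOM 7 directly. The encoding of Res₀ (drop literals the action may falsify, add literals it surely causes), the form of executability preconditions, and the bomb domain are assumptions of this example, since this section does not define them.

```python
from itertools import product

def neg(l):
    """Complement of a fluent literal, represented as (fluent_name, sign)."""
    return (l[0], not l[1])

def res0(D, a, X):
    """Res_0(a, X) as assumed here: drop literals a may falsify, add literals it surely causes."""
    sure = {l for act, l, phi in D["causes"] if act == a and phi <= X}
    maybe = {neg(l) for act, l, phi in D["causes"]
             if act == a and not any(neg(q) in X for q in phi)}
    return frozenset((X - maybe) | sure)

def derive(D, X, c, p):
    """Derivation of {X}c{KWp} as a list of rule names, or None; mirrors the cases of Thm 3.4."""
    if not c:                                     # case 1: empty plan, p or -p already in X
        if (p, True) in X:  return ["{X}[]{{p}}", "RULE 8"]
        if (p, False) in X: return ["{X}[]{{-p}}", "RULE 8", "RULE 9"]
        return None
    head, rest = c[0], c[1:]
    if isinstance(head, tuple):                   # cases 4/5: case plan, some phi_i must hold in X
        for i, (phi, branch) in enumerate(head[1]):
            if phi <= X:
                sub = derive(D, X, branch + rest, p)
                return None if sub is None else sub + [f"RULE 12 (branch {i})"]
        return None                               # no branch condition known: not 0-executable
    if not D["exec"].get(head, frozenset()) <= X: # executability precondition (assumed form)
        return None
    if head in D["senses"]:                       # cases 2/5: sensing action, RULE 10 over every X'
        K, steps = sorted(D["senses"][head]), []
        for signs in product([True, False], repeat=len(K)):
            Xp = frozenset(zip(K, signs))
            if any(neg(l) in X for l in Xp):      # X ∪ X' inconsistent: not one of X_1..X_m
                continue
            sub = derive(D, X | Xp, rest, p)
            if sub is None: return None
            steps += sub
        return steps + [f"RULE 10 ({head})"]
    sub = derive(D, res0(D, head, X), rest, p)    # cases 3/5: non-sensing, AXIOM 2 then RULE 11
    return None if sub is None else sub + [f"AXIOM 2 + RULE 11 ({head})"]

# Constructed domain after the bomb example of the introduction (not the paper's own encoding).
BOMB = {"exec": {}, "senses": {"check": {"alarm_off"}}, "causes": [
    ("switch", ("alarm_off", True), frozenset({("alarm_off", False)})),
    ("switch", ("alarm_off", False), frozenset({("alarm_off", True)})),
    ("defuse", ("disarmed", True), frozenset({("alarm_off", True)})),
    ("defuse", ("exploded", True), frozenset({("alarm_off", False)}))]}
X0 = frozenset({("disarmed", False), ("exploded", False)})
PLAN = ["check", ("case", [(frozenset({("alarm_off", True)}), ["defuse"]),
                          (frozenset({("alarm_off", False)}), ["switch", "defuse"])])]
```

`derive(BOMB, X0, PLAN, "disarmed")` returns a derivation ending in RULE 10 for check, while `derive(BOMB, X0, ["defuse"], "disarmed")` returns None because defusing with the alarm state unknown leaves disarmed unknown under Res₀.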

4 Conclusions 

In this paper, we have proposed a proof system for plan verification under 
the 0-approximation semantics introduced in [21]. The proof system has the 
following advantages: it is self-contained, hence it does not rely on any par- 
ticular logic and need not pay the extra cost of a translation step; and it 
can be used for both plan verification and plan generation. In particular, we 
would like to point out that the proof-system-based inference approach possesses 
a very desirable property for off-line planning. Simply speaking, it allows 
the agent to produce and store (shorter) proofs in a database in spare time, 
and to perform quick on-line planning by constructing the requested proofs from 
the (shorter) proofs in the database. 

Please note that the construction of the proof system PRKW₀ depends 
essentially on the monotonicity property of Φ₀ (see Lemma 2.1). According 
to [21], an action a is 1-executable in an a-state σ if it is 0-executable in every 
complete a-state extending σ. And if a non-sensing action a is 1-executable 
in σ, then Res₁(a, σ) is defined as the intersection of all Res₀(a, σ'), σ' ∈ 
Comp(σ), which is the set of all complete a-states extending σ. Obviously, 
Res₁ is monotonic, that is, if σ ⊆ δ then Res₁(a, σ) ⊆ Res₁(a, δ). Thus 
the transition functions Φ₁ and Φ̂₁ (for the precise definition please see [21]) are 
also monotonic. Therefore, in PRKW₀, if we replace {X}a{Res₀(a, X)} in 
AXIOM 2 by {X}a{Res₁(a, X)}, and replace in all groups "0-executable" by 
"1-executable", we will obtain a sound and complete proof system PRKW₁ 
for plan verification under 1-approximation. Please note, however, that since 1- 
executability is unlikely to be solvable in polynomial time, determining whether a rule in 
PRKW₁ is applicable seems intractable. 

The work of Matteo Baldoni et al. [2] is closely related to our idea. They 
proposed a modal logic approach for reasoning about sensing actions, to- 
gether with a goal-directed proof procedure for generating conditional plans. 
The states of a world are represented in [2] as three-valued models, so queries 
about Knows-Whether are not supported. Moreover, their approach does not 
provide reasoning about case plans, and the completeness of their proof pro- 
cedure is unknown. 

In the future, we shall further work on proof systems for more powerful 
action logics. We shall consider the implementation of the proposed proof 
systems on top of Coq [TD] or Tableaux [5], and try to find applications in 
knowledge representation and reasoning. 
